Socket.io-parser version used by Fluid Framework has a security vulnerability

[christiango]

We're getting an alert in a downstream repo that the socket.io-parser version being used by Fluid Framework (3.3.1 via socke.io-client). The recommendation is to get on socket.io-parser 3.4.1 or later.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36049

[curtisman]

The fix is back ported to socket.io-parser 3.3.2: https://github.com/socketio/socket.io-parser/releases/tag/3.3.2
And the dependency from socket.io-client is ~3.3.0. So an update to your lock file should suffice.

[christiango]

The component governance tool does not seem to recognize the 3.3.2 as a resolution, so this will probably keep showing up in people's component governance until someone updates the mitigations to include 3.3.2. Not sure how these vulnerabilities get updated

It would probably also be great if we could depend on a version of socket.io-client that has the fix as the minimum version aka ~3.3.2 rather than ~3.3.0 to make sure no one can install the vulnerable version, but it doesn't seem socket.io has released a version of socket.io-client like this

[curtisman]

Looking at this closed PR, I don't think they are planning to update socket.io-client:

[ghost]

This issue has been marked as being beyond the support scope of Fluid Frameworks's issue board. It will now be closed automatically for house-keeping purposes.